Enabling Intelligent Branch with SD-WAN and Kubernetes

An Edge Computing Use-Case



For any financial or commercial establishment, a branch is the primary touch point with its customers. In addition, the majority of an enterprise workforce today works out of the various enterprise branch locations.

The traffic originating from enterprise or commercial branch locations has grown exponentially in the past few years, driven primarily by the increase in the number of network-connected devices at any branch location.

For example, in the year 2000, the number of network-connected devices per user averaged from 0 to 1, hence for a branch with 20 users, the total number of devices averaged about 5 to 10. In 2020, that number for a small branch is projected to be close to 100, as the number of devices per user has increased to 6.8.

The primary drivers for this change are:

  • Number of network-connected devices per employee
  • Number of network-connected endpoints in a branch (e.g. Wi-Fi endpoints, IoT endpoints, video/audio conferencing, CCTV)
  • Add-on services offered to the customers (e.g. guest Internet access, self-service kiosks, AR/VR services)

Hence, the traffic generated by branches has shifted from just application/client traffic bound for the data center to these new services, which make up more than 80% of the traffic exiting the branch location.

A typical enterprise branch network is implemented in a hub-and-spoke model where all the traffic is sent to the hub (data centre(s) or cloud services) where the core of the decision-making apps reside. This model is implemented in most enterprises as it is time-tested and works well by keeping the decision-making capability in a central hub.

But as more add-on services are rolled out to the branch, this model introduces various issues such as latency, very high bandwidth requirements and also government regulations under which certain data cannot leave the country. For example, new services such as biometric authentication and IoT endpoints bring in new challenges: sending data across the network to a central hub for every decision results in a poor customer experience, since response time is directly proportional to the latency on the network.

Secondly, sending all traffic to the hub increases the bandwidth requirements on the MPLS links, which impacts the overall Capex/Opex of an enterprise.

With compute becoming much cheaper and with the heavy data requirements of Big Data, IoT and AI, one way to solve this is to make the branch more intelligent, an enabler for decisions, relying on the hub only for very critical processing. This makes it an interesting use case for edge computing. In addition, by making the network more intelligent, traffic can be steered dynamically between various branches depending on the available resources.

To enable such an intelligent branch with dynamic workloads and an agile branch network, we need three major components:

1. Kubernetes
2. SD-WAN
3. An Orchestrator

Both Kubernetes and SD-WAN are technologies which many enterprises are actively evaluating or already running in production. Hence, this use-case acts as a natural extension of these two well-known technologies.

Kubernetes consists of two components:

  • Kubernetes Master nodes, which act as the control and management plane for deploying containers
  • Kubernetes Worker nodes

In this use case, Kubernetes master nodes are deployed in the hub sites and the Kubernetes worker nodes are deployed on the compute in the branch sites.

For SD-WAN, a controller and management layer is deployed in the hub site, with the data plane distributed across all branch and hub sites.

Both the Kubernetes Master and the SD-WAN management layer expose north-bound APIs. An orchestrator is required to connect the APIs of the Kubernetes Master and SD-WAN.

The orchestrator will be enterprise-specific code, developed in-house.

The interconnection between Kubernetes and SD-WAN enables an enterprise operations team to dynamically deploy container workloads at branch locations and to activate the right SD-WAN policies to control and steer traffic based on the workloads deployed.

For example, if an authentication app is deployed in a branch, then authentication requests originating from remote or small branches closer to this branch can be steered towards it rather than being sent to the hub site. This change can be made by enabling dynamic policies on the SD-WAN.


To enable an intelligent branch with edge computing, the following steps need to be considered:

MicroServices and Containerization:

To initially deploy Kubernetes and start rolling out apps, the first step is to assess the state of the applications deployed in the enterprise, to understand which apps could be moved to microservices and built into containers. This step is very important for understanding the current state of apps in an enterprise.

Kubernetes Deployment Architecture:

For the most common use-cases, Kubernetes master and worker nodes are deployed in the hub site. When deploying worker nodes in branch sites, the latency between master and worker, the management of compute resources and security need to be considered.

Identifying Branch Sites:

Not all branches need to host their own Kubernetes workers. Depending on the type of application currently deployed on the Kubernetes cluster, a single branch site in a geographic location can be chosen for deploying a Kubernetes worker, and traffic from branches near this site can be steered to it using SD-WAN policies.

Workforce Skills Transformation:

Since this use case attempts to connect SD-WAN with Kubernetes, which are currently managed by two different teams, the teams should be trained to understand both technologies. Hence it becomes imperative for network engineers to understand Kubernetes and for system engineers to understand SD-WAN.


Currently there is no vendor-based software to integrate SD-WAN with Kubernetes. Since most SD-WAN vendors provide an API-rich management layer, a simple orchestrator can be built in-house that maps applications deployed on Kubernetes to SD-WAN policies, making it easier for the operations team to manage deployments from a single pane of glass.
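As an added illustration of the glue logic described above (the orchestrator mapping Kubernetes placements to SD-WAN steering policies, and the authentication-app example earlier), here is a small Python model. It is not Criterion's or any vendor's code: the site names, regions, placement snapshot and policy shape are constructed, and "nearby" is assumed to mean "same region". Pushing the resulting policy to a real SD-WAN controller would use that vendor's API, which is out of scope here.

```python
"""Toy orchestrator glue: derive SD-WAN steering targets from where Kubernetes
currently runs an app.  Added example, not Criterion's or any vendor's code;
site names, regions, placements and the policy shape are all constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str
    region: str               # assumed proximity grouping used to pick a nearby branch
    is_hub: bool = False
    has_worker: bool = False  # site hosts a Kubernetes worker node

# Constructed topology: one hub (Kubernetes masters, SD-WAN controller), one
# branch per region that hosts a worker, and small branches with no compute.
SITES = [
    Site("hub-dc1", "north", is_hub=True),
    Site("branch-n1", "north", has_worker=True),
    Site("branch-n2", "north"),
    Site("branch-s1", "south", has_worker=True),
    Site("branch-s2", "south"),
]

# Constructed snapshot of what the Kubernetes master would report:
# app -> sites whose worker node currently runs a ready replica.
PLACEMENTS = {"auth-app": {"branch-n1"}, "kiosk-app": set()}


def steering_policy(app, sites=SITES, placements=PLACEMENTS):
    """Return {branch: site}: itself if it runs the app, else a worker site in
    its own region that runs the app, else back to the hub."""
    by_name = {s.name: s for s in sites}
    hubs = [s for s in sites if s.is_hub]
    if len(hubs) != 1:
        raise ValueError("exactly one hub site expected")
    hub = hubs[0].name
    # Only steer towards sites the WAN team has sanctioned as worker sites; a
    # pod reported on an unknown or non-worker site is ignored, not steered to.
    hosts = {n for n in placements.get(app, set())
             if n in by_name and by_name[n].has_worker}
    policy = {}
    for s in sites:
        if s.is_hub:
            continue
        local = sorted(h for h in hosts if by_name[h].region == s.region)
        policy[s.name] = s.name if s.name in hosts else (local[0] if local else hub)
    return policy


def policy_changes(old, new):
    """Branches whose SD-WAN policy must be re-pushed after a placement change."""
    return {b: t for b, t in new.items() if old.get(b) != t}
```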

PoC and Testing:

Before moving an application to this deployment, a true PoC needs to be performed. Since both Kubernetes and SD-WAN work in a virtual layer, a virtual PoC can be performed by emulating the current enterprise network along with Kubernetes and the specified application. Once all the concerned teams have gained confidence that the specific app is able to work in this distributed setup, the teams can deploy the app in a couple of branch sites to test out the performance and then roll it out to other sites.


For an enterprise today, both Kubernetes and SD-WAN are technologies that are either already part of the roadmap or in the evaluation or operational stage. The use-case of enabling an intelligent branch is an extension of both SD-WAN and Kubernetes along with enterprise-specific glue logic. This edge computing use-case will enable enterprises to roll out next-generation services such as Big Data, IoT, video and mobility quickly, and also helps in reducing traffic between branch and hub sites. Enterprises can also make use of this use-case to quickly scale branches and move applications and policies in a seamless manner without the operational overhead.

Evolution of SD-WAN

In 1997, the first IETF MPLS working group was formed. MPLS technology was evolving very fast and everyone in the industry was busy writing standards for Layer-3 VPN, traffic engineering and other areas of MPLS. The Internet was growing faster than ever, and by the year 2000 MPLS had become the de-facto standard for connecting the critical networks of organizations.


In 2018, almost 2 decades later, big data, machine learning and artificial intelligence have taken center stage and have posed new challenges to network architects. Demands on current networks are evolving faster, and large networks are observing exponential growth in bandwidth due to cloud computing, mobile devices and video usage. Some of these trends helped the evolution of SD-WAN, i.e. Software-Defined Wide Area Network. As per analysts, the SD-WAN market is predicted to grow 8 times by 2021.

Key drivers of SD-WAN


IoT (Internet of Things) is demanding all-time high visibility and analytics into the thousands of devices connected to any network. SD-WAN provides a central management dashboard for all your devices and provides a rich experience.

Security is no longer appliance-based, as most applications are moving to the cloud. This needs a shift in security measures and also in security products. Today's companies prefer network architectures that integrate policy, security and orchestration. SD-WAN can help you provide consistent and unified security across your whole network. Cloud security is also becoming a booming market due to this shift of applications from on-premise to public clouds.

SD-WAN provides improved application performance and quality of service for remote and branch workers through intelligent path selection, or application-aware routing. Policy creation and activation have never been so easy.

SD-WAN reduces cost in comparison to MPLS WAN links, as it allows you to leverage lower-priced broadband and LTE connections. In addition, the hybrid WAN architecture allows you to have a mix of different technologies and use the best option for each need.

Depending on the deployment, some SaaS applications require direct Internet access. SD-WAN is really helping in those scenarios as it comes with built-in DIA (direct internet access) features.

SD-WAN Architecture

SD-WAN architecture can be divided into three layers, i.e. the Infrastructure Layer, the Controller Layer and the Application Layer. This architecture is based on standard software-defined networking, and SD-WAN is built with similar objectives.

(Figure: SD-WAN architecture. Image source: Viptela)

The Infrastructure Layer acts as the foundation of the SD-WAN architecture. It consists of the physical layer and virtual network devices.

The Controller Layer consists of a centralized control plane for the entire WAN and provides a single centralized view.

The Application Layer consists of network services, orchestration tools and business applications that interact with the Controller Layer.

In addition to the infrastructure, controller and application layers, security is another important design aspect of SD-WAN. In traditional networks, methods for providing security are highly manual and don't scale. For example, certificates are typically installed manually rather than in an automated fashion.

One important component of SD-WAN is the communication protocol between the centralized control plane and the distributed data plane. The protocol distributes policies, routes, keys and certificates across the data plane to enable an agile WAN environment. The protocol can be either proprietary or based on open standards. For example, in Cisco SD-WAN this role is played by the proprietary protocol OMP, which distributes keys, policies and routes between the WAN edge devices and the control plane. The protocol stack uses DTLS as the underlying transport to ensure a quick and secure mode of communication, and hence can be extended to a very large WAN.

Business Impact of SD-WAN

In the past, there have been many innovations that were cutting-edge in terms of technology but unfortunately did not add great value to the business, either because of the high initial cost of using those technologies or because they were far too complex for wider usage.

SD-WAN is not only good in theory but is making a major transformation in the industry. This is visible from the fact that Cisco is planning to bring SD-WAN to 1 million ISR routers, as per a recent blog post. [Source]

SD-WAN makes the biggest impact on business in terms of operating cost. Enterprises are dependent on MPLS networks for security, system uptime and various other reasons. SD-WAN brings down this cost by a huge factor, as it allows you to use normal Internet or LTE connections with full security. SD-WAN is able to provide centralized configuration for better operational costs. Finally, it also brings the network to a state where it can be orchestrated seamlessly. Zero-touch provisioning and direct cloud connectivity are other major business impacts of SD-WAN.

Industry Landscape

Software-defined networking is not an academic term anymore, as it is playing an active role in this major transformation of the wide area network. A centralized controller, unified policies and segregation of the data plane and control plane are becoming a reality.

The SD-WAN industry landscape has seen many acquisitions in the past 12 months. Cisco acquired Viptela on August 1, 2017, for $610 million, and later VMware acquired VeloCloud in November 2017. As the SD-WAN market is growing rapidly, the industry landscape may change faster than expected.

As per industry reports, thousands of enterprises have already deployed SD-WAN and this number is growing really fast. As per a Gartner report, by 2018 more than 60 percent of enterprises will have deployed direct Internet access in branch offices (up from less than 30 percent 2 years back). SD-WAN is highly recommended for enterprises that add remote or branch sites on a regular basis, as adding a new branch to your network is seamless with SD-WAN.


Criterion SDCloud®

Criterion Networks is a network transformation partner for service providers and large enterprises to accelerate their journey in adopting SD-WAN.

Criterion's cloud-based solution acceleration platform, Criterion SDCloud®, is tailored for customized network transformation use-cases. The Criterion SD-WAN Designer offering allows users to plan, design and spin up a PoV using a drag-and-drop canvas. It allows users to build various SD-WAN topologies instantly and to seamlessly run customer PoCs. It is feature-rich and comes with a WAN impairment toolset and traffic generator for emulating underlay transports such as MPLS and the Internet.

Criterion also provides an end-to-end suite of enablement offerings such as workshops, learning labs and sandboxes to make SD-WAN partners PoV-ready.
